chiark / gitweb /
~ianmdlvl / elogind.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
everywhere: always use O_CLOEXEC where it makes sense
[elogind.git] / man / systemd-nspawn.xml
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index ca99da4909cac88b654779a86d0508945ec53f64..ffd707092c013d87553066f9ac46ff26a4cd2275 100644 (file)
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -143,19 +143,6 @@
                 contain this file out-of-the-box.</para>
         </refsect1>
 
                 contain this file out-of-the-box.</para>
         </refsect1>
 
-        <refsect1>
-                <title>Incompatibility with Auditing</title>
-
-                <para>Note that the kernel auditing subsystem is
-                currently broken when used together with
-                containers. We hence recommend turning it off entirely
-                by booting with <literal>audit=0</literal> on the
-                kernel command line, or by turning it off at kernel
-                build time. If auditing is enabled in the kernel,
-                operating systems booted in an nspawn container might
-                refuse log-in attempts.</para>
-        </refsect1>
-
         <refsect1>
                 <title>Options</title>
 
         <refsect1>
                 <title>Options</title>
 
@@ -204,9 +191,12 @@
                                 <listitem><para>Automatically search
                                 for an init binary and invoke it
                                 instead of a shell or a user supplied
                                 <listitem><para>Automatically search
                                 for an init binary and invoke it
                                 instead of a shell or a user supplied
-                                program. If this option is used, arguments
-                                specified on the command line are used
-                                as arguments for the init binary.
+                                program. If this option is used,
+                                arguments specified on the command
+                                line are used as arguments for the
+                                init binary. This option may not be
+                                combined with
+                                <option>--share-system</option>.
                                 </para></listitem>
                         </varlistentry>
 
                                 </para></listitem>
                         </varlistentry>
 
@@ -287,7 +277,34 @@
                                 the container. This makes all network
                                 interfaces unavailable in the
                                 container, with the exception of the
                                 the container. This makes all network
                                 interfaces unavailable in the
                                 container, with the exception of the
-                                loopback device.</para></listitem>
+                                loopback device and those specified
+                                with
+                                <option>--network-interface=</option>. If
+                                this option is specified the
+                                CAP_NET_ADMIN capability will be added
+                                to the set of capabilities the
+                                container retains. The latter may be
+                                disabled by using
+                                <option>--drop-capability=</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--network-interface=</option></term>
+
+                                <listitem><para>Assign the specified
+                                network interface to the
+                                container. This will move the
+                                specified interface from the calling
+                                namespace and place it in the
+                                container. When the container
+                                terminates it is moved back to the
+                                host namespace. Note that
+                                <option>--network-interface=</option>
+                                implies
+                                <option>--private-network</option>. This
+                                option may be used more than once to
+                                add multiple network interfaces to the
+                                container.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
@@ -321,7 +338,13 @@
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
                                 CAP_AUDIT_WRITE,
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
                                 CAP_AUDIT_WRITE,
-                                CAP_AUDIT_CONTROL.</para></listitem>
+                                CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+                                is retained if
+                                <option>--private-network</option> is
+                                specified. If the special value
+                                <literal>all</literal> is passed all
+                                capabilities are
+                                retained.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
@@ -424,8 +447,7 @@
                                 output by the tool itself. When this
                                 switch is used, then the only output
                                 by nspawn will be the console output
                                 output by the tool itself. When this
                                 switch is used, then the only output
                                 by nspawn will be the console output
-                                of the container OS
-                                itself.</para></listitem>
+                                of the container OS itself.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
@@ -440,13 +462,64 @@
                                 interact more easily with processes
                                 outside of the container. Note that
                                 using this option makes it impossible
                                 interact more easily with processes
                                 outside of the container. Note that
                                 using this option makes it impossible
-                                to start up a full Operating System in the
-                                container, as an init system cannot
-                                operate in this mode. It is only
-                                useful to run specific programs or
-                                applications this way, without
-                                involving an init
-                                system in the container.</para></listitem>
+                                to start up a full Operating System in
+                                the container, as an init system
+                                cannot operate in this mode. It is
+                                only useful to run specific programs
+                                or applications this way, without
+                                involving an init system in the
+                                container. This option implies
+                                <option>--register=no</option>. This
+                                option may not be combined with
+                                <option>--boot</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--register=</option></term>
+
+                                <listitem><para>Controls whether the
+                                container is registered with
+                                <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
+                                a boolean argument, defaults to
+                                <literal>yes</literal>. This option
+                                should be enabled when the container
+                                runs a full Operating System (more
+                                specifically: an init system), and is
+                                useful to ensure that the container is
+                                accessible via
+                                <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+                                and shown by tools such as
+                                <citerefentry><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
+                                the container does not run an init
+                                system it is recommended to set this
+                                option to <literal>no</literal>. Note
+                                that <option>--share-system</option>
+                                implies
+                                <option>--register=no</option>.
+                                </para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--keep-unit</option></term>
+
+                                <listitem><para>Instead of creating a
+                                transient scope unit to run the
+                                container in, simply register the
+                                service or scope unit
+                                <command>systemd-nspawn</command> has
+                                been invoked in in
+                                <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
+                                has no effect if
+                                <option>--register=no</option> is
+                                used. This switch should be used if
+                                <command>systemd-nspawn</command> is
+                                invoked from within an a service unit,
+                                and the service unit's sole purpose
+                                is to run a single
+                                <command>systemd-nspawn</command>
+                                container. This option is not
+                                available if run from a user
+                                session.</para></listitem>
                         </varlistentry>
 
                 </variablelist>
                         </varlistentry>
 
                 </variablelist>
Unnamed repository; edit this file 'description' to name the repository.